AD user authentication on vCenter fails with "Invalid Credentials" and "A vCenter Single Sign-On service error occurred"
Article ID: 402295

Updated On: 07-02-2025

Products

VMware vCenter Server

Issue/Introduction

  • Active Directory users are unable to authenticate to the vCenter Server and receive "Invalid Credentials" error messages when attempting to log in.
  • The vSphere SSO administrator (administrator@vsphere.local) and all other users from the vsphere.local domain can still authenticate successfully.
  • The vCenter reports "A vCenter Single Sign-On service error occurred" when navigating to Administration > Users and Groups.

  • The /var/log/vmware/sso/ssoAdminServer.log reports the following warnings and error traces: the bind to the LDAP identity source is rejected with LDAP error code 49 (Invalid credentials), so the subsequent group lookup fails.

YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49

YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ldapserver.domain.com:636, CN=ldapservice_user,OU=ServiceAccounts,OU=ENT,DC=DOMAIN,DC=COM]

YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://ldapserver.domain.com:636] because [Invalid credentials] therefore will not attempt to use any secondary URIs

YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials\nLDAP error [code: 49]

YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.IdentityManager] Failed to find group [groupname.domain.com] for tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials\nLDAP error [code: 49]'
com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials
        at com.vmware.identity.interop.ldap.LdapErrorChecker$28.RaiseLdapError(LdapErrorChecker.java:415) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:1102) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1278) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.ldap_bind_s(OpenLdapClientLibrary.java:728) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.interop.ldap.LdapConnection.bindConnection(LdapConnection.java:130) ~[vmware-identity-platform-7.0.0.jar:?]
        at com.vmware.identity.idm.server.ServerUtils.getLdapConnection(ServerUtils.java:412) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.ServerUtils.getLdapConnectionByURIs(ServerUtils.java:271) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory.makeObject(PooledLdapConnectionFactory.java:38) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory.makeObject(PooledLdapConnectionFactory.java:17) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:1041) ~[commons-pool2-2.4.2.jar:2.4.2]
        at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:357) ~[commons-pool2-2.4.2.jar:2.4.2]
        at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:279) ~[commons-pool2-2.4.2.jar:2.4.2]
        at com.vmware.identity.idm.server.provider.LdapConnectionPool.borrowConnection(LdapConnectionPool.java:42) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.BaseLdapProvider.borrowConnection(BaseLdapProvider.java:239) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.BaseLdapProvider.borrowConnection(BaseLdapProvider.java:215) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.borrowConnection(LdapWithAdMappingsProvider.java:2811) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.findGroup(LdapWithAdMappingsProvider.java:1407) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findGroup(IdentityManager.java:6952) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.findGroup(IdentityManager.java:11436) [vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.client.CasIdmClient.findGroup(CasIdmClient.java:3011) [vmware-identity-idm-client-7.0.0.jar:?]
        at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.findGroup(PrincipalManagementImpl.java:235) [sso-adminserver-7.0.0.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl$27.call(PrincipalDiscoveryServiceImpl.java:858) [sso-adminserver-7.0.0.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl$27.call(PrincipalDiscoveryServiceImpl.java:844) [sso-adminserver-7.0.0.jar:?]
        at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:186) [sso-adminserver-7.0.0.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl.findGroupAccount(PrincipalDiscoveryServiceImpl.java:844) [sso-adminserver-7.0.0.jar:?]
        at sun.reflect.GeneratedMethodAccessor555.invoke(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_402]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_402]
        at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:99) [vlsi-server-7.0.0.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server-7.0.0.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_402]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_402]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_402]
2025-05-22T03:45:08.030Z ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] Caught an unexpected exception
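The signature above is easy to miss in a busy ssoAdminServer.log, because the same OpId produces several WARN and ERROR lines followed by a long stack trace. The following Python script is an added example (not VMware/Broadcom code) that groups lines by OpId and reports only operations where the bind with the configured service account DN was rejected with LDAP error code 49. The line layout (timestamp, level, ssoAdminServer[pid:thread], [OpId=...], [logger], message) is assumed from the excerpt above; SAMPLE_LOG is constructed to mirror that excerpt plus one unrelated connectivity failure (the host dc2.domain.com and the second OpId are invented for the demonstration).

```python
"""Scan ssoAdminServer.log for the expired-LDAP-service-account signature.

Added example (not VMware/Broadcom code). Lines are grouped by OpId and an
operation is flagged when the LDAP bind fails with error code 49 ("Invalid
credentials") and the failing bind DN (the identity-source service account)
is recorded. The line layout is assumed from the KB excerpt; SAMPLE_LOG is
constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>WARN|ERROR)\s+ssoAdminServer\[[^\]]*\]\s+"
    r"\[OpId=(?P<opid>[^\]]+)\]\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)
# "error code: 49" (LdapErrorChecker) or "[code: 49]" (InvalidCredentialsLdapException)
CODE49_RE = re.compile(r"(?:error code:\s*|\[code:\s*)49\b")
# "cannot bind connection: [<uri>, <bind DN>]" carries the service account DN
BIND_RE = re.compile(r"cannot bind connection: \[(?P<uri>ldaps?://[^,\]]+),\s*(?P<dn>[^\]]+)\]")
URI_RE = re.compile(r"with URI: \[(?P<uri>ldaps?://[^\]]+)\]")


@dataclass
class Finding:
    op_id: str
    ldap_code_49: bool = False
    invalid_credentials: bool = False
    uri: Optional[str] = None
    bind_dn: Optional[str] = None

    @property
    def matches_expired_service_account(self) -> bool:
        # Error 49 on the service-account bind (not on an end-user bind) is the
        # pattern the KB describes: code 49 plus the bind DN must both be present.
        return self.ldap_code_49 and self.invalid_credentials and self.bind_dn is not None


def analyse(log_text: str) -> Dict[str, Finding]:
    """Collect per-OpId evidence; stack-trace frames and other lines are skipped."""
    findings: Dict[str, Finding] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        f = findings.setdefault(m["opid"], Finding(op_id=m["opid"]))
        msg = m["msg"]
        if CODE49_RE.search(msg):
            f.ldap_code_49 = True
        if "Invalid credentials" in msg:
            f.invalid_credentials = True
        b = BIND_RE.search(msg)
        if b:
            f.uri, f.bind_dn = b["uri"], b["dn"].strip()
        u = URI_RE.search(msg)
        if u and f.uri is None:
            f.uri = u["uri"]
    return findings


def expired_service_account_findings(log_text: str) -> List[Finding]:
    """Return only the operations that show the expired-service-account pattern."""
    return [f for f in analyse(log_text).values() if f.matches_expired_service_account]


# Constructed sample log: the first OpId mirrors the KB excerpt, the second
# OpId (invented) is a plain connectivity failure that must NOT be flagged.
SAMPLE_LOG = r"""
2025-05-22T03:45:01.000Z WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
2025-05-22T03:45:01.001Z WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ldapserver.domain.com:636, CN=ldapservice_user,OU=ServiceAccounts,OU=ENT,DC=DOMAIN,DC=COM]
2025-05-22T03:45:01.002Z ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://ldapserver.domain.com:636] because [Invalid credentials] therefore will not attempt to use any secondary URIs
2025-05-22T03:45:01.003Z ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials\nLDAP error [code: 49]
2025-05-22T03:45:01.004Z ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.IdentityManager] Failed to find group [groupname.domain.com] for tenant [vsphere.local]
        at com.vmware.identity.interop.ldap.LdapErrorChecker$28.RaiseLdapError(LdapErrorChecker.java:415) ~[vmware-identity-platform-7.0.0.jar:?]
2025-05-22T03:50:00.000Z WARN ssoAdminServer[803:pool-2-thread-9] [OpId=0f0f0f0f-0000-0000-0000-000000000001] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://dc2.domain.com:636] because [Can't contact LDAP server] therefore will not attempt to use any secondary URIs
"""

if __name__ == "__main__":
    for f in expired_service_account_findings(SAMPLE_LOG):
        print(f"OpId {f.op_id}: bind as {f.bind_dn} to {f.uri} rejected with LDAP 49; "
              "check the service account password in Active Directory")
```

On the appliance the same functions can be fed the contents of /var/log/vmware/sso/ssoAdminServer.log instead of SAMPLE_LOG. Keying on the bind DN matters: an end user typing a wrong password also produces error 49, but that failure is not reported against the configured service account DN, so it is not flagged here.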

Environment

vSphere 7

vSphere 8

Cause

The password of the LDAP service account that vCenter uses to bind to the identity source has expired.

Because that bind is rejected, vCenter cannot query the Active Directory domain for users and groups, so every AD user login fails with "Invalid Credentials" (LDAP error code 49), while vsphere.local accounts, which do not depend on the LDAP bind, are unaffected.
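Before editing the identity source it is worth confirming that the service account password really has expired rather than, say, being locked out or mistyped. The check below is an added example, not part of the KB: it reproduces the arithmetic Active Directory applies to the account's pwdLastSet and userAccountControl attributes and the domain root's maxPwdAge attribute. The attribute values in it are constructed (password last set 2025-01-15 under a 90-day policy), and "now" is pinned to the timestamp that appears in the log excerpt.

```python
"""Compute an AD account's password expiry from pwdLastSet / maxPwdAge.

Added example, not from the KB. The arithmetic follows how AD stores the
values: pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC),
maxPwdAge on the domain root is a negative 100 ns interval, and the
userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD) switches expiry off.
All attribute values below are constructed for the demonstration.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000       # FILETIME resolution is 100 ns
DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl flag
NEVER_EXPIRES_SENTINEL = -2**63     # maxPwdAge value meaning "never expires"


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int) -> Optional[datetime]:
    """Instant at which the password expires, or None if it never expires."""
    if user_account_control & DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, NEVER_EXPIRES_SENTINEL):
        return None
    if pwd_last_set == 0:
        # "User must change password at next logon": a bind fails immediately
        return FILETIME_EPOCH
    # maxPwdAge is negative, so negate it to get the policy's lifetime
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)


def is_expired(pwd_last_set: int, max_pwd_age: int,
               user_account_control: int, now: datetime) -> bool:
    exp = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    return exp is not None and exp <= now


# Constructed sample: password last set 2025-01-15 UTC, 90-day domain policy,
# a normal account (0x200), checked at the timestamp from the log excerpt.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2025, 1, 15, tzinfo=timezone.utc))
NINETY_DAYS = -90 * 86400 * TICKS_PER_SECOND
NORMAL_ACCOUNT = 0x200
LOG_TIME = datetime(2025, 5, 22, 3, 45, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    exp = password_expiry(SAMPLE_PWD_LAST_SET, NINETY_DAYS, NORMAL_ACCOUNT)
    print("expires:", exp.isoformat(),
          "expired at log time:", is_expired(SAMPLE_PWD_LAST_SET, NINETY_DAYS, NORMAL_ACCOUNT, LOG_TIME))
```

In a real check the three attribute values come from an LDAP read of the service account object and of the domain root; a password that expired weeks before the first error 49 in the log is the confirmation that this KB applies.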

Resolution

To resolve this issue:

  • Reset the service account password on the Active Directory side.
  • On the vCenter, re-establish the LDAP or LDAPS identity source connection with the service account's new password:
    • Administration --> Users and Groups --> Configuration --> Identity Provider --> Click on the LDAP configuration and Edit.
    • Input the service user's new password and click Add.
      • Note: If LDAPS is used, adding the LDAP server certificate(s) is mandatory.